From 233105d2c9d1a2c6911342d8249b19310e94c251 Mon Sep 17 00:00:00 2001 From: David Sommerseth Date: Sun, 16 May 2010 19:42:40 +0200 Subject: OCSP_check.sh: new check logic contrib/OCSP_check/OCSP_check.sh: I discovered that, quite surprisingly, the exit status of "openssl ocsp" is 0 even if the certificate status is "revoked". This means that the logic of the script needs to be rewritten so that it parses the output returned by the query and explicitly looks for a "0x: good" line, and exit if either the command has a non-zero exit status, or the above line is not found. Doing that portably without bashisms requires some juggling around, so perhaps the code is slightly less clean now, but it does have many comments. Signed-off-by: Davide Brini Signed-off-by: David Sommerseth Acked-by: David Sommerseth --- contrib/OCSP_check/OCSP_check.sh | 42 ++++++++++++++++++++++++++++++---------- 1 file changed, 32 insertions(+), 10 deletions(-) diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh index 2ffe5d6..847be45 100644 --- a/contrib/OCSP_check/OCSP_check.sh +++ b/contrib/OCSP_check/OCSP_check.sh @@ -63,27 +63,49 @@ fi # begin if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then + eval serial="\$tls_serial_${cur_depth}" - # Check that the serial is not empty + # To successfully complete, the following must happen: + # + # - The serial number must not be empty + # - The exit status of "openssl ocsp" must be zero + # - The output of the above command must contain the line + # "0x${serial}: good" + # + # Everything else fails with exit status 1. + if [ -n "$serial" ]; then # This is only an example; you are encouraged to run this command (without # redirections) manually against your or your CA's OCSP server to see how # it responds, and adapt accordingly. - # Sample output: + # Sample output that is assumed here: # # Response verify OK # 0x428740A5: good # This Update: Apr 24 19:38:49 2010 GMT # Next Update: May 2 14:23:42 2010 GMT - - openssl ocsp -issuer "$issuer" \ - "$nonce" \ - -CAfile "$verify" \ - -url "$ocsp_url" \ - -serial "0x${serial}" >/dev/null 2>&1 - else - exit 1 + # + # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL + # can in some circumstances give a "good" result if it could not + # reach the the OSCP server. In this case, the exit code will indicate + # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0, + # don't trust the OpenSSL status. + + status=$(openssl ocsp -issuer "$issuer" \ + "$nonce" \ + -CAfile "$verify" \ + -url "$ocsp_url" \ + -serial "0x${serial}" 2>/dev/null) + + if [ $? -eq 0 ]; then + # check that it's good + if echo "$status" | grep -Fq "0x${serial}: good"; then + exit 0 + fi + fi fi + # if we get here, something was wrong + exit 1 fi -- cgit v1.2.3